On 9/23/10 9:50 AM, Mr Dash Four wrote:
>
>> That doesn't need Shorewall support -- just set that context first for NEW
>> connections then override it for specific applications.
>>
> I was not sure is the matching mechanism in secmarks the same as in the
> rules file (i.e. first match wins)?
>
> If that is so, then - you are right - I could include a capture-all rule
> for this 'dummy' context right at the end

No -- it must be at the beginning.

> but this is also true for the
> policy and rules files as well - I could always include a capture-all
> ALLOW/DENY at the end of the rules file and that will, in effect, be the
> same as specifying exactly the same thing in policy file, wouldn't it
> (in fact, I think I remember in the early Shorewall versions that used
> to be the case, right?)?

No -- Shorewall has always had a policy file. And the compiler complains
(warning) if you add a rule that is, in fact, a policy (e.g. ACTION,
SOURCE, and DEST and nothing else).

>
> So, I guess what I am really after is something similar to the policy
> file, but for secmarks.

Sorry -- I don't believe that it is worth the effort.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
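The ordering point in the exchange above, as an added example that is not part of the original message and is not Shorewall code: a small model contrasting first-match-wins evaluation with rules that all apply in order, so the last match decides the label. It assumes secmark rules behave the second way, which is what "it must be at the beginning" implies; the rule sets and SELinux context names are constructed.

```python
# Added illustration: why a catch-all secmark rule goes first, not last.
# Assumption: secmark rules are all evaluated in file order and each match
# overwrites the label set so far; rules-file entries stop at the first match.

def first_match_wins(rules, pkt):
    """Rules-file style: evaluation stops at the first matching rule."""
    for match, verdict in rules:
        if match(pkt):
            return verdict
    return None

def every_match_applies(rules, pkt):
    """Assumed secmarks style: every matching rule relabels the packet."""
    label = None
    for match, context in rules:
        if match(pkt):
            label = context
    return label

def any_new(pkt):
    return pkt["state"] == "NEW"

def mysql_new(pkt):
    return any_new(pkt) and pkt["proto"] == "tcp" and pkt["dport"] == 3306

DUMMY = "system_u:object_r:dummy_packet_t:s0"  # constructed context name
MYSQL = "system_u:object_r:mysql_packet_t:s0"  # constructed context name

CATCH_ALL_FIRST = [(any_new, DUMMY), (mysql_new, MYSQL)]
CATCH_ALL_LAST = [(mysql_new, MYSQL), (any_new, DUMMY)]

def new_tcp(dport):
    """Constructed sample packet: a NEW TCP connection to dport."""
    return {"state": "NEW", "proto": "tcp", "dport": dport}

def label_for(rules, dport):
    return every_match_applies(rules, new_tcp(dport))

if __name__ == "__main__":
    for name, rules in (("catch-all first", CATCH_ALL_FIRST),
                        ("catch-all last", CATCH_ALL_LAST)):
        for dport in (3306, 22):
            print(f"{name:16} dport={dport:<5} -> {label_for(rules, dport)}")
```

With the catch-all last, the MySQL connection ends up with the dummy context, while the same ordering under first-match-wins evaluation would have kept the specific one.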
